As Brad Duncan from malware-traffic-analysis.net points out there has been a recent change in patterns for the pseudoDarkleech campaign. It has shifted from large blocks of obfuscated code on the compromised sites to the use of injected iframes as the initial redirection mechanism:

Return HTTP traffic from the compromised site did trigger an ET alert in Squil for an unknown redirector leading to an EK, however, there weren’t any alerts for the EK landing page or the post-infection callback traffic: